I followed these guidelines, but this is not fine grained enough.
http://confluence.atlassian.com/display/DOC/Global+Permissions+Overview#GlobalPermissionsOverview-confluenceadmin

We need to prevent space admin adding new permission to their space.
We prefer to manage space permission by the confluence-adminitrators

The reason is that users (including space admins) are not aware of all the users that have access to confluence.
As an example, the RH users will see only RH space, so they (wrongly) beleive that confluence is for RH only and when someone does not have access to their space, they add the 'confluence-users' group with at least 'view' permissions.

We first try to train/limit the number of people, but after 6 months, this was such a mess that we decided to remove all space admin permission.
Currentlyn confluence-administrators (ie IT) are under pressure because they need to:

• communicate about who has which permission
• do all the other space admin (layout, unrestrict a page).

Therefore, I would like to have the 'admin' permission split into 2 permissions:

• 'admin' except edit permission
• edit space admin permissions
  The users with 'edit space admin' permissions would be the only ones entitled to add new users/groups in the permission form.